312-50V10 · Question #308
What is the best defense against privilege escalation vulnerability?
The correct answer is C. Run services with least privileged accounts and implement multi-factor authentication and. The best defense against privilege escalation combines least-privilege service accounts with multi-factor authentication to limit and verify elevated access.
Question
What is the best defense against privilege escalation vulnerability?
Options
- APatch systems regularly and upgrade interactive login privileges at the system administrator level.
- BRun administrator and applications on least privileges and use a content registry for tracking.
- CRun services with least privileged accounts and implement multi-factor authentication and
- DReview user roles and administrator privileges for maximum utilization of automation services.
How the community answered
(59 responses)- A14% (8)
- B5% (3)
- C71% (42)
- D10% (6)
Why each option
The best defense against privilege escalation combines least-privilege service accounts with multi-factor authentication to limit and verify elevated access.
Patching alone is useful but 'upgrading interactive login privileges at the system administrator level' directly contradicts least-privilege principles and increases the escalation risk.
A 'content registry for tracking' is not a recognized security control against privilege escalation and does not restrict what a compromised account can do.
Running services and processes under least-privileged accounts minimizes the damage an attacker can cause if they compromise a service, because the account has no unnecessary rights to escalate from. Adding multi-factor authentication ensures that even stolen credentials cannot be used alone to authenticate into higher-privilege contexts. Together these controls address both the attack surface and the authentication vector most commonly exploited in privilege escalation.
'Maximum utilization of automation services' has no direct security benefit and does not address the access control weaknesses that enable privilege escalation.
Concept tested: Least privilege and MFA defense against privilege escalation
Source: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
Topics
Community Discussion
No community discussion yet for this question.